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/)□ Claim(s) is/are objected to. 
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DETAILED ACTION 

1 . The response of 1 IIIIOQQ was received and considered. 

2. Claims 3, 5-1 2 & 1 9-21 ore pending. 

Response to Arguments 

3. Applicant's arguments with respect to claims 3, 5-12 & 19-21 hove been 
considered but ore moot in view of the new ground (s) of rejection. However, the 
following note is made. Applicant's response (p. 18) argues that neither Trcka nor 
Voidyo discloses probes or scons. However, any known attack or suspected attack 
con reasonably be interpreted as a probe or scon. For example, Voidyo, col. 8, 
discloses multiple access attempts by a user. While not explicitly stated, this is a probe 
because the user is trying to access the file. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art ore such that the subject matter as a whole would hove been obvious of the time the 
invention was mode to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 3, 6-7, 9 & 21 are rejected under 35 U.S.C. 1 03(a) as being unpatentable 
over U.S. Patent 7,120,931 to Cheriton et ol. (Cheriton) in view of U.S. Patent 6,279,1 13 to 
Voidyo et ol. (Vaidya). 
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Regarding claim 3, Cheriton discloses receiving a plurality of messages (data, 
col. 5, lines 26-27) from a data sensor (router, col. 5, lines 26-27) located at a network 
audit point (netflow directory, col. 5, lines 26-27), each of said messages describing on 
event occurring on said communications netv^ork (data entering router), processing 
said messages to form connection sessions (flov^s) by clustering packets exchanged 
between two addresses within a specified time period (classifying flows based on 
source and destination, col. 5, lines 61-65, col. 6, lines 10-20, lines 39-42 & lines 56-61) 
where the addresses are not predetermined (the netflow directory clusters packets 
having a common source/destination, defined as a flow, col. 5, lines 61-65), grouping 
connection sessions into a plurality of groups (creating multiple aggregate filters, col. 7, 
lines 58-59), but locks scoring each group and generating on alert for each group 
whose score is greater than an empirically derived threshold. However, Voidyo 
teaches that a group of packets con be analyzed to recognize on attack by 
determining that the count of certain characteristics in the packet stream, such as on 
attempt to access a file, exceeds a threshold (col. 8, lines 1 6-39), where a notification 
can be sent to a reaction module (col. 8, lines 37-39). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to 
modify Cheriton to detect a surveillance probe by scoring the groups of flows and 
generate an alert for each group whose score is greater than on empirically derived 
threshold. One of ordinary skill in the art would have been motivated to perform such a 
modification to detect a potential attack, as taught by Vaidya. 

Regarding claim 6, Cheriton, as modified above by Voidyo, teaches generating 
a profile of surveillance activity (counter, col. 8, lines 30-31 ), said profile of surveillance 
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activity comprising one or more of tine following: the number of attacks per unit 
time/the temporal frequency trends of individual attacker (Z trying to access A) (event 
occurring a threshold number of times within a predetermined time interval, Vaidya, 

col. 8, lines 16-21). 

Regarding claim 7, Cheriton, as modified above by Vaidya, teaches processing 
one or more said detected surveillance probes to produce a detected surveillance 
scon (user Z making access request for file A, col. 8, lines 21-24), said processing of one 
or more said detected surveillance probes to produce a detected surveillance scan 
comprising one or more of the following: modeling and detecting surveillance scans 
performed by a particular source (user Z, col. 7, lines 36-39 & col. 8, lines 26-28) by 
identifying a source address (user Z) that generates more than a specified number of 
probes (threshold) within a specified time period (10 minutes, col. 8, lines 21-28). 

Regarding claim 9, Cheriton, as modified above by Vaidya, teaches generating 
a profile of surveillance activity (counter, col. 8, lines 30-31 ), said profile of surveillance 
activity comprising one or more of the following: the number of attacks per unit 
time/the temporal frequency trends of individual attacker (Z trying to access A) (event 
occurring a threshold number of times within a predetermined time interval, col. 8, lines 
16-21). 

Regarding claim 21 , Cheriton discloses limiting the number of analyzed flows by 
reporting only source addresses that have a particular characteristic (for instant, all with 
a source of 3.xxx.xxx.xxx, col. 7, lines 33-52) and since Cheriton groups packets into 
flows, Cheriton discloses limiting the number of analyzed flows by reporting only source 
address groups that have certain characteristics (a source address group being 
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3.XXX.XXX.XXX and 3.141 .xxx.xxx, col. 7, lines 50-57), but lacks explicitly that the groups ore 
reported based on a specified number of probes within a specified period of time. 
However, as described above with respect to claim 7, Voidyo teaches that a group of 
packets can be analyzed to recognize an attack by determining that the count of 
certain characteristics in the packet stream, such as on attempt to access a file, 
exceeds a threshold (col. 8, lines 16-39) within a predetermined period of time (col. 8, 
lines 26-28), where a notification con be sent to a reaction module (col. 8, lines 37-39). 
Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was mode to modify Cheriton's flow classification to limit flows (detected 
scans) by reporting only source addresses and groups of source addresses that perform 
more than a specified number of probes (access attempts) within a specified time. 
One of ordinary skill in the art would have been motivated to perform such a 
modification to detect a potential attack, as taught by Vaidya. 

6. Claims 5 & 8 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Cheriton and Vaidya, as applied to claims 3 & 7 above, in view of U.S. Patent 
Application Publication 2003/0188189 to Desai et al. (Desoi). 

Regarding claim 5, Cheriton lacks controlling false positive detections versus false 
negative detections. However, Desai teaches an intrusion detection system that 
establishes an intrusion by comparing various activities to thresholds and as such 
teaches that adjusting pre-tuned thresholds improves accuracy and reduces the 
number of false positives (1160). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to modify Cheriton (as 
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modified above by Voidyo) to include a mechanism for adjusting the metrics used to 
determine intrusions (such as an intrusion rate of col. 8, lines 1 6-39). One of ordinary skill 
in the art would have been motivated to perform such a modification to reduce the 
number of false positives, as taught by Desoi (1160). 

Regarding claim 8, Cheriton lacks controlling false positive detections versus false 
negative detections. However, Desoi teaches on intrusion detection system that 
establishes on intrusion by comparing various activities to thresholds and as such 
teaches that adjusting pre-tuned thresholds improves accuracy and reduces the 
number of false positives (1160). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to modify Cheriton (as 
modified above by Voidyo) to include a mechanism for adjusting the metrics used to 
determine intrusions (such as on intrusion rote of col. 8, lines 1 6-39). One of ordinary skill 
in the art would have been motivated to perform such a modification to reduce the 
number of false positives, as taught by Desai (1160). 

7. Claims 1 0 & 1 2 ore rejected under 35 U.S.C. 1 03(a) as being unpatentable over 
Cheriton and Vaidya, as applied to claim 7 above, in view of U.S. Patent 6,424,654 to 
Daizo. 

Regarding claim 10, Cheriton discloses the grouping of scanning hosts 
comprising modeling and detecting scons distributed across a series of source 
addresses by grouping addresses, (col. 7, lines 44-57, where the detection causes 
filtering of traffic from on IP address range; upon further investigation, the IP address 
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range can be limited to a more narrow range). This section also describes how the flow 
analyzer will cause filtering of all packets from, for example, an ISP suspected of hosting 
an attacker and once the attacker is identified, only analyzing and filtering packets 
from the attacker. Cheriton lacks subtracting one address from another and placing 
the two addresses in the same group if the difference is less than a specified amount. 
However, Daizo teaches that a client can be limited to a single DHCP server because a 
DHCP server is known to give out a certain range of IP addresses (col. 5, lines 22-27). 
The client has a reference address and subtracts from the reference address received 
IP addresses from different DHCP servers; the address with the smallest distance from 
the reference is the correct DHCP server (col. 5, lines 27-45). Therefore, it would have 
been obvious to one having ordinary skill in the art at the time the invention was made 
to modify Cheriton, as modified by Vaidya, to perform the grouping of addresses by 
subtracting a received IP address from one IP addresses of detected potentially harmful 
traffic and if it is within a certain range (such as the range described in Cheriton, col. 7, 
lines 49-56), grouping two the together. One of ordinary skill in the art would have been 
motivated to perform such a modification to determine if on IP address is within a 
certain range and hence to detect and filter all potentially harmful traffic from an ISP 
using a simple arithmetic method, as taught by Daizo (col. 2, lines 57-59). 

Regarding claim 12, Cheriton discloses generating a profile of surveillance 
activity (Vaidya's counter, col. 8, lines 30-31), said profile of surveillance activity 

comprising one or more of the following: the number of attacks per unit time/the 
temporal frequency trends of individual attacker (Z trying to access A) (event occurring 
a threshold number of times within a predetermined time interval, col. 8, lines 1 6-21 ). 
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8. Claim 1 1 is rejected under 35 U.S.C. 103(a) as being unpatentable over Cheriton, 
Vaidya and Daizo, as applied to claim 10 above, in further viev^ of Desai. 

Regarding claim 1 1 , Cheriton, as modified above, locks controlling false positive 
detections versus false negative detections. However, Desai teaches an intrusion 
detection system that establishes on intrusion by comparing various activities to 
thresholds and as such teaches that adjusting pre-tuned thresholds improves accuracy 
and reduces the number of false positives (1160). Therefore, it would hove been obvious 
to one having ordinary skill in the art at the time the invention was made to modify 
Cheriton to include a mechanism for adjusting the metrics used to determine intrusions 
(such as on intrusion rote of col. 8, lines 1 6-39). One of ordinary skill in the art would 
hove been motivated to perform such a modification to reduce the number of false 
positives, as taught by Desai (1160). 

9. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Cheriton 
and Vaidya, as applied to claim 3 above, in view of U.S. Patent 6,453,345 to Trcko et ol. 
(Trcica). 

Regarding claim 19, Cheriton lacks the steps listed. However, Trcka teaches that 
it is beneficial to analyze incoming packets for invalid data (such as a non-existent LAN 
address, col. 1 5, lines 51-52) to determine if a packet should be further analyzed (col. 
15, lines 37-39) by setting a flog (col. 15, lines 50-51), where the flog is analyzed to 
determine if the packet is recorded for processing (col. 1 5, lines 58-62). Therefore, it 
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would have been obvious to one having ordinary sl<ill in the art at the time the invention 
was made to modify Cheriton to identify paclcets that have a particular arrangement 
of flags set (flagged as GOOD or BAD). One of ordinary skill in the art would have been 
motivated to perform such a modification to determine if the packet should be further 
analyzed, as taught by Trcko. 

1 0. Claim 20 is rejected under 35 U.S.C. 1 03(a) as being unpatentable over Cheriton 
and Vaidya, as applied to claim 3 above, in view of U.S. Patent Application Publication 
2002/0174362 to Ullmann et al. (Ullmann). 

Regarding claim 20, Cheriton lacks the steps listed. However, Ullmann teaches 
that small packets are less efficiently stored throughout a network (HIS) and therefore if 
it useful to determine packets having a size smaller than a predetermined threshold so 
that an administrator can be alerted to the source of the small packets (HI 8). 
Therefore, it would hove been obvious to one having ordinary skill in the art at the time 
the invention was made to modify Cheriton to identify connections (flows) with packets 
whose payloads are smaller than a predetermined limit. One of ordinary skill in the art 
would have been motivated to perform such a modification to identify wasteful 
packets on a network, as taught by Ullmann. 



Conclusion 



Art Unit: 2134 

1 1 . Applicant's amendment necessitated the new ground (s) of rejection presented 
in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing dote of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed 
until after the end of the THREE-MONTH shortened statutory period, then the shortened 
statutory period will expire on the date the advisory action is mailed, and any extension 
fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing dote of the advisory 
action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL J. SIMITOSKI whose telephone number is 
(571 )272-3841 . The examiner can normally be reached on Monday - Thursday, 6:45 
a.m. - 4:15 p.m.. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571 ) 272-381 1 . The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of on application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
hove questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
Customer Service Representative or access to the automated information system, coll 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/M. J.S./ 

Examiner, Art Unit 2134 



/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2134 
03/05/08 



